CCI-003112

Require the developer of the system, system component, or system service to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce a plan for the continuous monitoring of security control effectiveness that contains the level of detail defined in SA-4 (8), CCI 3113.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce a plan for the continuous monitoring of security control effectiveness that contains the level of detail defined in SA-4 (8), CCI 3113.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation plans for the continues monitoring of security control effectiveness and contains organization-defined level of detail.

The controls below (if any) were marked by NIST as being related to CCI-003112.